Cisco
210-255 · Question #193
210-255 Question #193: Real Exam Question with Answer & Explanation
The marked correct answer is D: [tcp|udp] [src|dst] port <port>. Note, however, that D is a Layer 4 port filter and does not look at IP addresses at all; option C, [src|dst] net <net> [{mask <mask>}|{len <len>}], is the tcpdump/libpcap BPF expression that actually filters on network numbers.
Network Intrusion Analysis
Question
Which expression allows you to filter on network numbers?
Options
- A. ether [src|dst] host <ehost>
- B. gateway host <host>
- C. [src|dst] net <net> [{mask <mask>}|{len <len>}]
- D. [tcp|udp] [src|dst] port <port>
Explanation
This question covers tcpdump/libpcap BPF filter expression syntax; however, the marked correct answer D is a port filter, not a network number filter - option C is the expression that actually filters on network addresses.
Common mistakes.
- A. The ether [src|dst] host <ehost> expression filters on Ethernet MAC addresses at Layer 2, not on IP network numbers.
- B. The gateway host <host> expression matches packets that were forwarded through the specified host (the frame's source or destination MAC address is the host's, but neither the IP source nor the IP destination is the host's own address), which is unrelated to filtering on network numbers.
- C. Option C is actually the correct tcpdump expression for filtering on network numbers. In pcap-filter(7) syntax the network is written either as net <net> mask <netmask> or as net <net>/<len>; the exam's len <len> notation stands for the prefix-length form. An abbreviated network number also implies the mask (net 10 is 10.0.0.0/8, net 172.16 is 172.16.0.0/16, net 192.168.1 is 192.168.1.0/24). Despite not being marked as such, C is arguably the accurate answer to this question.
Concept tested. tcpdump BPF network and port filter expressions
Reference. https://www.tcpdump.org/manpages/pcap-filter.7.html
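To make the difference between the four options concrete, here is an added example (not from the exam page or from tcpdump itself): a small Python evaluator for the four pcap-filter(7) primitives in the options, run over a handful of constructed packet records. The MAC addresses, IP addresses and the gateway's addresses are made up for the example; tcpdump would resolve gateway host <host> through /etc/ethers and /etc/hosts, whereas here both are passed in directly. It shows that only the net primitive selects on network numbers, while the port primitive in option D never inspects an IP address.

```python
"""Toy evaluator for the pcap-filter(7) primitives in the four answer options.
Added example with constructed data; not the page's or tcpdump's own code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Set


@dataclass(frozen=True)
class Packet:
    """Only the header fields these primitives inspect (constructed, not a real capture)."""
    eth_src: str
    eth_dst: str
    ip_src: str
    ip_dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    sport: Optional[int] = None   # None for protocols without ports
    dport: Optional[int] = None


def parse_net(spec: str) -> IPv4Network:
    """Parse <net> as pcap-filter(7) describes it: "net/len", "net mask netmask", or an
    abbreviated dotted form whose missing octets imply the mask (10 -> /8, 172.16 -> /16,
    192.168.1 -> /24, a full dotted quad -> /32)."""
    spec = spec.strip()
    if " mask " in spec:
        addr, mask = (s.strip() for s in spec.split(" mask ", 1))
        return IPv4Network(f"{addr}/{mask}", strict=False)
    if "/" in spec:
        return IPv4Network(spec, strict=False)
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"bad network number: {spec!r}")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return IPv4Network(f"{addr}/{8 * len(octets)}", strict=False)


def _pick(direction: Optional[str], src_ok: bool, dst_ok: bool) -> bool:
    """Apply the optional src/dst qualifier; no qualifier means "either direction"."""
    if direction == "src":
        return src_ok
    if direction == "dst":
        return dst_ok
    if direction is None:
        return src_ok or dst_ok
    raise ValueError(f"bad direction qualifier: {direction!r}")


def match_net(pkt: Packet, spec: str, direction: Optional[str] = None) -> bool:
    """[src|dst] net <net>: true if the selected IP address has network number <net>."""
    net = parse_net(spec)
    return _pick(direction, IPv4Address(pkt.ip_src) in net, IPv4Address(pkt.ip_dst) in net)


def match_port(pkt: Packet, port: int, proto: Optional[str] = None,
               direction: Optional[str] = None) -> bool:
    """[tcp|udp] [src|dst] port <port>: a Layer 4 filter; it never looks at IP addresses."""
    if pkt.sport is None or pkt.dport is None:   # e.g. ICMP: port primitives never match
        return False
    if proto is not None and pkt.proto != proto:
        return False
    return _pick(direction, pkt.sport == port, pkt.dport == port)


def match_ether_host(pkt: Packet, ehost: str, direction: Optional[str] = None) -> bool:
    """ether [src|dst] host <ehost>: a Layer 2 MAC address filter."""
    e = ehost.lower()
    return _pick(direction, pkt.eth_src.lower() == e, pkt.eth_dst.lower() == e)


def match_gateway(pkt: Packet, gw_mac: str, gw_ips: Set[str]) -> bool:
    """gateway host <host>: the frame was sent to or from <host>'s MAC address but neither
    IP address is <host>'s own, i.e. the packet was forwarded through it. The MAC and IP
    addresses are supplied directly here (assumption for the example)."""
    mac_hit = gw_mac.lower() in (pkt.eth_src.lower(), pkt.eth_dst.lower())
    ip_hit = pkt.ip_src in gw_ips or pkt.ip_dst in gw_ips
    return mac_hit and not ip_hit


GW_MAC = "aa:bb:cc:00:00:ff"               # the router in this constructed LAN
GW_IPS = {"192.168.5.1", "203.0.113.1"}    # its inside and outside addresses

PACKETS = [  # constructed sample traffic, not a real capture
    Packet("aa:bb:cc:00:00:01", GW_MAC, "10.1.2.3", "203.0.113.9", "tcp", 51000, 443),
    Packet("aa:bb:cc:00:00:02", GW_MAC, "192.168.5.7", "10.9.9.9", "udp", 53000, 53),
    Packet(GW_MAC, "aa:bb:cc:00:00:03", "198.51.100.4", "192.168.5.7", "tcp", 443, 40000),
    Packet("aa:bb:cc:00:00:04", GW_MAC, "10.200.0.1", "10.1.0.5", "icmp"),
    Packet("aa:bb:cc:00:00:05", GW_MAC, "192.168.5.20", "192.168.5.1", "tcp", 44000, 22),
]


def select(predicate):
    """Indices of the PACKETS a predicate selects."""
    return [i for i, p in enumerate(PACKETS) if predicate(p)]


def demo():
    """Run one expression per option over the sample traffic, keyed by the tcpdump syntax it models."""
    return {
        "net 10": select(lambda p: match_net(p, "10")),
        "src net 10.0.0.0 mask 255.0.0.0": select(lambda p: match_net(p, "10.0.0.0 mask 255.0.0.0", "src")),
        "dst net 10.1.0.0/16": select(lambda p: match_net(p, "10.1.0.0/16", "dst")),
        "tcp dst port 443": select(lambda p: match_port(p, 443, "tcp", "dst")),
        "port 443": select(lambda p: match_port(p, 443)),
        "udp port 53": select(lambda p: match_port(p, 53, "udp")),
        "ether host aa:bb:cc:00:00:ff": select(lambda p: match_ether_host(p, GW_MAC)),
        "gateway host <router>": select(lambda p: match_gateway(p, GW_MAC, GW_IPS)),
    }


if __name__ == "__main__":
    for expr, hits in demo().items():
        print(f"{expr:36} -> packets {hits}")
```

Running it shows the three net expressions selecting packets by address range, the port expressions selecting packets 0 and 2 purely by transport port (packet 2 carries 443 as its source port, so plain port 443 picks it up while tcp dst port 443 does not), the ether host expression matching every frame that touched the router's MAC, and gateway host dropping packet 4 because that one is addressed to the router itself rather than forwarded through it.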
Topics
#BPF filters · #tcpdump · #network number filtering · #packet capture